How to lock down an SFTP user?

by meda   Last Updated July 09, 2018 05:02 AM

I really need some help. I have been trying to jail a user on Ubuntu.

Things to note:

  1. james is the user
  2. sshusers is the group
  3. /home/james/upload/ is the directory where I wish to lock user

sshd_config:

AllowGroups sshusers 

Match Group sshusers
    ChrootDirectory /home/%u/upload/
    ForceCommand internal-sftp

I followed an answer on askubuntu; here are my commands:

sudo chown root /home/james
sudo chmod go-w /home/james
sudo mkdir /home/james/upload
sudo chown james:sshusers /home/james/upload
sudo chmod ug+rwX /home/james/upload

Problem:

I get this error

Error:  Network error: Software caused connection abort
Error:  Could not connect to server

I investigated in the logs, and I found this:

fatal: bad ownership or modes for chroot directory component "/home/james/upload/"

But if I run the following commands

sudo chown root /home/james/upload
sudo chmod go-w /home/james/upload

It works perfectly: the user can connect and the folder is locked, BUT the user cannot drop files in the directory.

Status: Listing directory /
Status: Directory listing successful
Status: Starting upload of C:\Users\Program\AppData\Local\Temp\fz3temp-1\empty_file_yq744zm
Command:    put "C:\Users\Program\AppData\Local\Temp\fz3temp-1\empty_file_yq744zm" "test"
Error:  /test: open for write: permission denied
Error:  File transfer failed

Please advise; I have searched Google so much that all the links are purple now (visited :P).

I'm using filezilla client to test SFTP.


2 Answers

The ChrootDirectory directive expects that the chroot directory be owned by root, and not writable by anybody else. So you cannot jail a user to a directory and allow the user permission to write to that directory. You can:

Chroot to home, upload to upload/

The first set of commands you tried are correct for this:

sudo chown root /home/james
sudo chmod go-w /home/james
sudo mkdir /home/james/upload
sudo chown james:sshusers /home/james/upload
sudo chmod ug+rwX /home/james/upload

However, the option in sshd_config would be:

Match Group sshusers
    ChrootDirectory %h
    ForceCommand internal-sftp

(%h is replaced by the home directory of the user being authenticated, equivalent to /home/%u for most cases.) In addition, to limit the visibility of folders in /home/james, and restrict write permission there, use the recursive options for chown and chmod in the first command for /home/james, and remove read permissions. The modified set would look like:

sudo chown -R root /home/james
sudo chmod -R go-rwx /home/james   # Disallow traversing any directory in home
sudo chmod go+x /home/james        # Allow traversing this directory
sudo mkdir /home/james/upload
sudo chown james:sshusers /home/james/upload
sudo chmod ug+rwx /home/james/upload

Now the user should only be able to access /home/james/upload, or /upload.

Chroot to upload, upload to upload/some_directory

Pretty much the same as above, replacing /home/james/ with /home/james/upload, and /home/james/upload with /home/james/upload/some_directory. No particular gains.

Change the home directory of james to /upload

The usual behaviour of ChrootDirectory is: "After the chroot, sshd(8) changes the working directory to the user's home directory." So we change james's home directory:

sudo usermod -d /upload james

Then set the ChrootDirectory to /home/%u. Use the same restrictions in the first option.

muru
September 20, 2014 02:49 AM
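As an added example (not part of either answer, and not OpenSSH's own code), the following Python mirrors the check sshd performs on every component of the ChrootDirectory path before it chroots: each component must be a directory owned by root and must not be writable by group or others. sshd stops at the first offending component and logs the "bad ownership or modes for chroot directory component" line seen in the question; this version reports every offender and prints the chown/chmod pair that would satisfy sshd. It is exercised against a constructed table of stat results modelling the asker's first attempt; the FakeStat class, SAMPLE_TREE and the uid/gid values 1001/1002 are assumptions, not taken from the page.

```python
import os
import posixpath
import stat
import sys


def path_components(path):
    """Return every ancestor of ``path`` from "/" down to the path itself.

    sshd walks the chroot path component by component; a trailing slash
    (as in the asker's "/home/james/upload/") is normalised away.
    """
    path = posixpath.normpath(posixpath.join("/", path))
    comps = ["/"]
    for part in path.split("/"):
        if part:
            comps.append(posixpath.join(comps[-1], part))
    return comps


def check_chroot_path(path, stat_fn=os.stat):
    """Return a list of problems that would make sshd refuse this chroot.

    Rules (OpenSSH's safely_chroot): every component must exist, be a
    directory, be owned by uid 0 and have neither the group- nor the
    world-write bit (mode & 022) set.  An empty list means sshd accepts it.
    Unlike sshd, which fatals on the first offender, all are reported.
    """
    problems = []
    for comp in path_components(path):
        try:
            s = stat_fn(comp)
        except OSError as exc:
            problems.append(f"{comp}: cannot stat ({exc})")
            break
        if not stat.S_ISDIR(s.st_mode):
            problems.append(f"{comp}: not a directory")
            break
        if s.st_uid != 0:
            problems.append(f"{comp}: owned by uid {s.st_uid}, must be root (uid 0)")
        if s.st_mode & 0o022:
            problems.append(f"{comp}: mode {oct(stat.S_IMODE(s.st_mode))} is group- or world-writable")
    return problems


def fix_commands(path, stat_fn=os.stat):
    """Commands that would make sshd accept ``path`` as a ChrootDirectory.

    These are the two commands the asker ran on /home/james/upload; after
    them the user can no longer write there, which is why the answer
    chroots to the parent and uploads into a child directory.
    """
    cmds = []
    for comp in path_components(path):
        s = stat_fn(comp)
        if s.st_uid != 0:
            cmds.append(f"sudo chown root {comp}")
        if s.st_mode & 0o022:
            cmds.append(f"sudo chmod go-w {comp}")
    return cmds


# --- constructed sample data (assumption, not from the page) -------------
class FakeStat:
    """Minimal stand-in for os.stat_result carrying the fields sshd checks."""

    def __init__(self, uid, gid, perm, is_dir=True):
        self.st_uid = uid
        self.st_gid = gid
        self.st_mode = (stat.S_IFDIR if is_dir else stat.S_IFREG) | perm


# The asker's first attempt: home chown'd to root and go-w, upload directory
# owned by james:sshusers (uid/gid 1001/1002 are made up) with ug+rwX.
SAMPLE_TREE = {
    "/": FakeStat(0, 0, 0o755),
    "/home": FakeStat(0, 0, 0o755),
    "/home/james": FakeStat(0, 0, 0o755),
    "/home/james/upload": FakeStat(1001, 1002, 0o775),
}


def sample_stat(path):
    """stat() replacement that answers from SAMPLE_TREE."""
    try:
        return SAMPLE_TREE[path]
    except KeyError:
        raise FileNotFoundError(path)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check a real path on this host (needs no privileges, stat only).
        target, stat_fn = sys.argv[1], os.stat
    else:
        # No argument: replay the question against the constructed tree.
        target, stat_fn = "/home/james/upload/", sample_stat
    problems = check_chroot_path(target, stat_fn)
    print(target, "->", problems or "sshd would accept this chroot")
    for cmd in fix_commands(target, stat_fn):
        print("   ", cmd)
```

Run with a real directory as the argument to see why sshd is rejecting a chroot on your own host; the output lists the offending components and the exact chown/chmod needed. Checking "/home/james" against the sample tree returns no problems, which is the layout the first option above relies on.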

The built-in sftp chroot mechanism in OpenSSH requires that the chroot directory be owned by root (and not writable by users). This could be a pain if the directory is an SMB/CIFS share, for example, where you'd have to do a bind mount.

One of the more flexible solutions would be to use MySecureShell (http://mysecureshell.readthedocs.io/en/latest/):

sudo apt install mysecureshell

It works without any modification to your default OpenSSH settings. All you need to do is set your SFTP user's login shell to mysecureshell, and it will take care of the ACL/virtual chroot for you. See the documentation for details.

For example, once you have installed MySecureShell, you can add an SFTP user (restricted to their home directory) as below:

sudo useradd -m -d /home/sftpuser01 --shell /usr/bin/mysecureshell sftpuser01

From the above, the user 'sftpuser01' will be virtually chrooted to '/home/sftpuser01' in the SFTP session.

It also provides a lot of flexible options to control ACLs, groups, etc. by configuring '/etc/ssh/sftp-config'. Please refer to http://mysecureshell.readthedocs.io/en/latest/configuration.html for details.

TL-Aiyor
July 09, 2018 04:43 AM